EnergySec 10th Anniversary Security Summit Presentation Archive

This year’s Annual Security Summit held in Austin, Texas from August 18-22 has concluded. Thank you to all who participated and helped make this a huge success! Be sure to mark your calendars for next year’s summit:

11th Annual Security & Compliance Summit
September 15-18, 2015
Washington, D.C.

Below you will find the presentations from all presenters and moderators. We were truly honored to have such talented people willing to come to our summit and share with out attendees. Enjoy!

August 20, 2014 – Day 3 – The Anfield Group Showcase 

An Approach to Closing the Gaps between Physical, Process Control, and Cybersecurity for the Energy and Utilities Industry
Presented by: William F. Lawrence, Ph.D., Lockheed Martin

Abstract: The energy and utilities industry needs to take extraordinary steps to protect its critical infrastructure. Gone are the days where treating physical security, process control security, and cybersecurity as separate functional areas can suffice. As the threats to our nation’s electric utility enterprises continue to rise, we must use all available information resources and security tools in highly integrated total security systems. As described in this presentation, recognizing and capitalizing upon the broad commonality of security domains across all the three security functional areas can open many more possibilities to enhance an enterprise’s defenses. Based upon this unique systems concept, already proven effective for cybersecurity, a methodology for an integrated total security defense is described that begins with threat and vulnerability intelligence-driven security processes. By extending this methodology to all three security functional areas, organizations can better organize and utilize all their security resources and processes, including threat and vulnerability information, pre-emptive defense strategies, real and near-real time situation awareness capabilities, and incident response/ recovery actions; regardless of whether they are part of the physical, process control, or cybersecurity functional areas. In addition to methods and tools for highly efficient collection and analysis of “all source” threat and vulnerability information, also described are systems approaches for fusing and correlating the high volume and wide variety of available security relevant information. These can assist the security professionals to quickly analyze and initiate actions as needed across each of the physical, control process, and cyber security areas.

From Air Gap to Air Control
Presented by: Marc Blackmer and John Ode, Cisco

Abstract: Industrial control networks have been thrust into a world of network interconnectivity the likes we haven’t seen before, and that is expanding at an astonishing rate. A cultural and technical recalibration is vital to defend ICS assets from cyber threats, and the risks and potential consequences of a successful attack against our critical infrastructure are well known, yet few would argue that these changes are slow in coming. Why is that? In part, the notion that control networks are adequately defensible against cyber attack by “air gapping” the control network from the Internet and corporate network is still believed to be the best defense.

In this presentation, the value and vulnerabilities of the air gap will be discussed, as well as specific methods to mitigate cyber threats along the attack continuum.

Using IP Cameras and Advanced Analytics to help Protect Critical Infrastructure
Presenter: Cale Dowell, THRIVE Intelligence

Abstract: Leveraging the technology advancements in video analytics, THRIVE Intelligence has developed an end-to-end video monitoring and management service from the camera to the Monitoring Center where video is monitored 24/7 by trained Security Intervention Specialists.THRIVE IP cameras are installed with edge-based video analytics making the camera intelligent. When an alarm or event occurs, it’s immediately reviewed by special screened, trained and certified personnel at our Monitoring Center, who will dispatch officers or first responders (if necessary), based on the event protocols set. THRIVE analytics eliminates incidents of false alarms and operator interaction ensures proper response. Live footage of events can be streamed directly to customers and to law enforcement officers en route via a smartphone, tablet, or computer. iOS and Android apps have been developed to work with the THRIVE solution.  THRIVE’s video analytics first stabilizes the image then learns the environment which allows our analytics to automatically overcome environmental conditions such as: light changes, repetitive motion, and adjustments to the image caused by rain, fog, dirt and low light.

In this presentation, THRIVE will demonstrate the capabilities of its camera analytics and our 360 solution that is offered to end users.

Event Correlation Applications for Utilities
Presenter: Brandon Dunlap, Hewlett Packard

Abstract: Today, there is a flood of data pouring into Utilities. From AMI data coming into MDM systems to trading system data, to grid management data, this sea of information makes it easy to lose sight of threats to the core business. Combining this with the additional threat intelligence information necessary to protect your business and the scope of the data problem can quickly become overwhelming. Learn how utility customers are applying event correlation to their AMI events, threat intelligence feeds, and Customer Service System events to protect against security threats, while improving business operations, and reducing costs. Additionally, learn about the fascinating future plans that utility customers have for event correlation such as:

  • Pushing physical security event correlation beyond meter tampering and into video camera control and integration
  • Correlating micro-earthquake data with meter tilt tamper events to eliminate false positive security alerts
  • Measuring voltages across meters and the associated transformer to identify theft and meter tampering

It’s an exciting time of transformation in the Utilities industry and event correlation can help drive efficiency, visibility, and security in your business.

What to Do When You Don’t Know What to Do: Control System Patching Problems and Their Solutions
Presenter: Monta Elkins, FoxGuard Solutions

Abstract: FoxGuard Solutions has encountered and resolved a wide variety of problems in our monthly work of patching control systems for our OEM clients and hundreds of power utility sites. In this presentation, we will cover a list of problems you might encounter and some real-world strategies that we have helped our clients implement to deal with them.

SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and Regulation Management
Presenters: Chris Humphreys, The Anfield Group; Henry Bailey, SAP; James Rice, Greenlight Technologies

Abstract: After a brief introduction by Mr. Humphreys, Henry Bailey will talk a few minutes about SAP’s roadmap for utilities. This will be followed by a discussion led by Chris Humphreys about the evolutionary transition from disparate point solutions to enterprise-wide, end-to-end, Regulation Management where controls are consolidated and leveraged such that compliance is a byproduct of industry best practices. Finally, Mr. Rice and Chris Humphreys will end the hour with a presentation expanding on the concept of controls consolidation and compliance as a byproduct focused on NERC CIP Ver 3-5 and NIST transitional capabilities of Regulation Management.

Lessons Learned for a Behavior-Based IDS in the Energy Sector
PresentersCliff Gregory, SecurityMatters and Dr. Jerry Crowley, Boeing

Abstract: This presentation will review lessons learned from a deployment of behavior-based intrusion detection system (IDS) on a SCADA network that was part of a large-scale energy management system.  The IDS architecture, sensor features, and sensor placement within the target SCADA environment proved to be key for successful detection of malicious activity. Challenges included simultaneous monitoring of multiple SCADA protocols (DNP3 and ICCP) across multiple network segments; monitoring of both encrypted and unencrypted network traffic; adapting to slow environment changes to minimize false positive output; and integration of the behavior-based IDS output into an existing monitoring system/SIEM.

Essential Power Case Study: Protecting Critical Infrastructure From Cyber Attacks
Presenter: Stephen Theodos, Essential Power

In May, 2014 the US Department of Homeland Security and its Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, issued a report confirming several recent attacks on public utilities from the first quarter of 2014.  DHS confirmed that a sophisticated threat actor gained unauthorized access to an unnamed public utility’s control system network.

Incidents of this type haven’t been as widely publicized as recent retail breaches, but it is believed by many that there are far more incidents occurring within the Energy Sector than are heard about in the press. Lack of enforced and implemented policy and compliance, poor capability for early detection of threat indicators, and lack of visibility and automation may all be contributing to failure in rapidly detecting attacks and breaches.

Essential Power™ (formerly known as North American Energy Alliance) is a wholesale power generator and marketer providing electric energy and located in the North Eastern United States. Essential Power will share a case study on its own journey towards achieving NERC CIP compliance within a very short five-month timeline, and how they did it.

August 21, 2014 – Day 4 – Summit Presentations

Keynote – Beyond Public Private Partnerships: Collaboration, Coordination and Commitment as key aspects in Industrial Cybersecurity
Keynote Speaker: Samuel Linares, Director at Industrial Cybersecurity Center

Abstract: The industrial cybersecurity landscape is complex and formed by very different actors (industrial organizations, critical infrastructures, EPC companies, industrial and cybersecurity vendors, consultancy companies, integrators, academia, public bodies and governments), with very different interests and objectives and different maturity levels, even internally in each organization, so there’s no way to go alone in the way of protecting these industrial and critical infrastructures adequately. Interdependencies, multidisciplinary, multiple supply chains and lack of common reference make even more complex the task of advancing in the right way.

Public Private Partnerships (PPP) are recognized as a key aspect on improving Industrial Cybersecurity and Critical Infrastructure Protection, but PPP usually is a formal and structured way of communication and collaboration between organizations, that is not necessary followed by the persons in charge or being part of those organizations.

In this presentation, we are proposing a new concept: C3R, “Collaboration, Coordination and Commitment based Relationships”, as the base for building a global community for protecting our Industrial and Critical Infrastructures and explaining the keys of the success of such an approach.

Sea Changes, Strategic Implications, Board Cyber Perspectives
Presenter: Paul Feldman, Board Director of the Midcontinent ISO (MISO) and EnergySec

Abstract: Mr. Feldman will lead us on a path to help us think about the “Sea Changes” happening in the energy sector from a strategic perspective, implications for the energy companies and cybersecurity from a Board of Directors governance viewpoint. This will include future direction concept that will address suggestions on where Regulators such as NERC should be heading with regard to security and other associated issues to feed your thoughts.

Open Platform for ICS Cybersecurity Research and Education
Presenter: Matt Luallen, Dragos Security and CYBATI

Abstract: The CybatiWorks open platform serves as an educational environment for cyber-physical systems.  The living laboratory platform uses low cost I/O, embedded devices, virtual machines and authentic automation protocols for participant cybersecurity education.  The platform incorporates the Raspberry PI, PiFace I/O, Elenco Snap-Circuits, Fischertechnik components and an ICS-ified Kali Linux called CybatiWorks-1 to allow participants to build, break and cybersecure small control environments.  CYBATI has performed years of research to develop this platform and is making it available for early access, school sponsorship and integrated education via the Kickstarter project announced during the session.

Industry Reliability and Security Standards Working Together
Presenters: Matt Davis and Josh Axelrod, E&Y

Abstract: It’s never too early to start thinking about where the standards are going and where your program should be heading. This presentation will discuss how energy organizations should consider furthering alignment to NIST 800-53 Rev 4; focusing on security maturity opportunities such as threat management; addressing third parties and vendors and developing processes to help satisfy control-based security objectives.

Red Teaming and Energy Grid Security 
Presenter: Mike Frederick, SC Public Service Authority Law Enforcement Division

Abstract: The informative and entertaining discussion is presented by a 26 year military and law enforcement veteran and former federal counterterrorism operative (now working as a state law enforcement agent responsible for critical energy infrastructure protection), and details the emergence of Red Cell activities and Red Teaming as a valuable form of alternative assessment for use in securing the American energy grid. A widely accepted and established practice in military and intelligence circles, Red Teaming is slowly moving into law enforcement and the private sector, and is now being utilized as a key vulnerability and threat assessment tool by state law enforcement agencies, Fortune 500 companies, and national laboratories.

The presentation features actual case studies and explains the key reasons energy producing organizations should utilize Red Teaming, including the avoidance of groupthink, complacency reduction, eliminating information silos, collective sense-making, addressing the correctly balanced approach to high impact/low frequency (5 sigma) events, and the integration of CIP compliance into a realistic physical security posture.

The brief outline details the key questions answered by Red Cell exercises: What do our adversaries want, how will they try to meet their goals, and how do we most effectively stop them? Attendees will become familiar with the basic techniques utilized in Red Teaming, including interdisciplinary teams, structured analysis, and physical exercises/penetration testing. Finally, the presentation provides a brief after-action report detailing the Red Cell Exercise conducted by the SC Public Service Authority in November 2013. That exercise addressed dam/dike sabotage, criminal targeting, executive safety, terrorism (domestic and transnational), insider threats, physical attacks on energy grid infrastructure, and workplace violence.

Third Party Security Testing for Advanced Metering Infrastructure Program
Presenters: Steve Vandenberg and Robert Hawk, BC Hydro

Abstract: In July 2010, BC Hydro, the electric utility and grid operator of British Columbia began implementation of its AMI program, formally known as the Smart Meter & Infrastructure (SMI)  program. The SMI program transformed BC Hydro from a traditional metering utility to a smart metering utility by implementing smart meters on the customer service points. It was the first step in the smart grid transformation.

The SMI program required the introduction of many new devices and applications into BC Hydro’s infrastructure. Some of these had never been deployed before anywhere in the world. Many were field deployed, outside of BC Hydro’s physical security perimeter.

The SMI Security Delivery Team was formed to deliver on these commitments and to take responsibility for the end to end security of the SMI program. The Team implemented a multi-pronged approach to securing SMI including security risk
assessments, security penetration testing by the team, design reviews, whole project risk assessments and third party security penetration testing.

A standards based approach was required to ground the test plan both in best practice and in a common set of principles that BC Hydro and its vendors could accept. The Advanced Metering Infrastructure (AMI) Risk Assessment document prepared by the Advanced Metering Infrastructure Security (AMI-SEC) Task Force was used as a basis for the test plan. This document has since been passed to the National Institute of Standards and Technology (NIST) Cyber Security Working Group and was integrated into NIST IR 7628. NIST IR 7628 contains a comprehensive list of possible threats to AMI systems.

The program was highly successful. Test results informed BC Hydro’s deployment decisions and allowed the manufacturers to improve their products. Lessons were learned about how best to conduct third party security testing. A full lessons learned section is included in the presentation.

What the Department of Defense and Energy Sector Can Learn from Each Other
Presenter: Brian McKay, Booz Allen Hamilton

Abstract: This presentation will discuss how the Department of Defense executes its critical infrastructure protection program, where it intersects with energy sector CIP efforts and what we can learn from each other.

CIP-014-1: Next Steps from an Auditor’s Perspective
Presenter: Darren T. Nielsen, Western Electricity Coordinating Council (WECC)

Abstract: A walk-through by an experienced security practitioner with years of relevant industry experience in physical security, compliance, and NERC CIP auditing on how to identify and protect Transmission stations and Transmission substations in accordance with NERC CIP-0014-1. This session will aid you in preparing for the assessment and evaluation process of the potential threats and vulnerabilities of a physical attack. This course is perfect for both professionals involved with NERC CIP physical security and compliance personnel seeking to gain an understanding of the new physical security standard and how to avoid potential pitfalls.


Comments are closed.